Monitoring adversary access to sensitive process memory via the /proc filesystem to extract credential material. The activity is typically multi-step: reading /proc/[pid]/maps to locate readable regions, then reading /proc/[pid]/mem (or attaching with ptrace), often combined with privilege escalation or a dedicated credential-scraping binary.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open, read |
| File Modification (DC0061) | auditd:SYSCALL | write |
| Process Access (DC0035) | auditd:SYSCALL | ptrace or process_vm_readv |
| Process Creation (DC0032) | linux:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| AccessedFilePath | Monitored paths such as /proc/[pid]/mem or /proc/[pid]/maps; a process reading its own /proc/self/maps is routine, so scope to cross-process access and tune the path set per environment |
| ProcessName | Command-line or binary names associated with credential scraping tools may vary |
| UserContext | Elevated user or unexpected user context accessing other process memory may indicate malicious activity |
| TimeWindow | Correlating memory access with process creation or ptrace activity within a specific time range |
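The data components and mutable elements above describe a correlation rule rather than a single event match. As an added example that is not part of this page or of ATT&CK's own analytics, here is a Python detection that runs over constructed auditd records: it groups SYSCALL and PATH records by event serial, flags cross-process opens of /proc/[pid]/maps and /proc/[pid]/mem as well as ptrace attach/seize and process_vm_readv, and rates an (actor, target) pair higher when maps is read shortly before memory is reached. Syscall numbers assume x86_64 (arch=c000003e); the 60-second window and the benign_exes allow-list are hypothetical tuning knobs, and the log lines are constructed, not captured.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (auditd arch=c000003e); other architectures need their own table.
SYSCALLS = {2: "open", 257: "openat", 101: "ptrace", 310: "process_vm_readv"}
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206
PROC_MEM_RE = re.compile(r"^/proc/(self|\d+)/(mem|maps)$")
CORRELATION_WINDOW = 60.0  # seconds; hypothetical tuning value for the TimeWindow element
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd records (not captured from a real host). They simulate:
# pid 2231 "dumper" reading /proc/1337/maps then /proc/1337/mem, a JVM reading
# its own /proc/self/maps, lsof reading another process's maps, and gdb
# attaching to pid 1337 (0x539) with ptrace(PTRACE_ATTACH).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000100.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c8a012f0 a2=80000 a3=0 items=1 ppid=2210 pid=2231 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="dumper" exe="/tmp/dumper" key="proc_mem"
type=PATH msg=audit(1700000100.101:501): item=0 name="/proc/1337/maps" inode=43621 dev=00:05 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000100.250:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d3c8a01320 a2=0 a3=0 items=1 ppid=2210 pid=2231 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="dumper" exe="/tmp/dumper" key="proc_mem"
type=PATH msg=audit(1700000100.250:502): item=0 name="/proc/1337/mem" inode=43622 dev=00:05 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000400.000:610): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7f2e4c01a000 a2=80000 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 egid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/bin/java" key="proc_mem"
type=PATH msg=audit(1700000400.000:610): item=0 name="/proc/self/maps" inode=40001 dev=00:05 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000401.000:611): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5620aa10b2c0 a2=80000 a3=0 items=1 ppid=2300 pid=950 auid=1000 uid=1000 gid=1000 euid=1000 egid=1000 tty=pts1 ses=3 comm="lsof" exe="/usr/bin/lsof" key="proc_mem"
type=PATH msg=audit(1700000401.000:611): item=0 name="/proc/1337/maps" inode=43621 dev=00:05 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000500.500:700): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=539 a2=0 a3=0 items=0 ppid=2210 pid=2240 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts1 ses=3 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
"""

def parse_audit_lines(lines):
    """Group auditd SYSCALL/PATH records by event serial; returns {serial: event}."""
    events = {}
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(int(serial), {"ts": float(ts), "paths": []})
        f = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if rtype == "SYSCALL":
            ev.update(syscall=int(f.get("syscall", -1)), pid=int(f["pid"]),
                      auid=int(f.get("auid", -1)), uid=int(f.get("uid", -1)),
                      comm=f.get("comm", ""), exe=f.get("exe", ""),
                      a0=int(f.get("a0", "0"), 16), a1=int(f.get("a1", "0"), 16),
                      success=f.get("success") == "yes")
        elif rtype == "PATH":
            ev["paths"].append(f.get("name", ""))
    return events

def memory_accesses(events):
    """Yield (ts, event, target_pid, method) for successful cross-process memory access."""
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        if "syscall" not in ev or not ev["success"]:
            continue
        name = SYSCALLS.get(ev["syscall"])
        if name in ("open", "openat"):
            for path in ev["paths"]:
                m = PROC_MEM_RE.match(path)
                if not m:
                    continue
                target = ev["pid"] if m.group(1) == "self" else int(m.group(1))
                if target != ev["pid"]:  # a process reading its own maps is routine
                    yield ev["ts"], ev, target, m.group(2)
        elif name == "ptrace" and ev["a0"] in (PTRACE_ATTACH, PTRACE_SEIZE):
            yield ev["ts"], ev, ev["a1"], "ptrace"            # tracee pid is in a1
        elif name == "process_vm_readv":
            yield ev["ts"], ev, ev["a0"], "process_vm_readv"  # remote pid is in a0

def detect(lines, benign_exes=frozenset()):
    """One alert per (actor pid, target pid), rated by how the memory was reached."""
    profiles = defaultdict(lambda: {"hits": []})
    for ts, ev, target, method in memory_accesses(parse_audit_lines(lines)):
        if ev["exe"] in benign_exes:  # ProcessName tuning: known-good tooling (hypothetical list)
            continue
        p = profiles[(ev["pid"], target)]
        p.update(comm=ev["comm"], exe=ev["exe"], uid=ev["uid"], auid=ev["auid"])
        p["hits"].append((ts, method))  # already in timestamp order
    alerts = []
    for (actor, target), p in sorted(profiles.items(), key=lambda kv: kv[1]["hits"][0][0]):
        methods = {m for _, m in p["hits"]}
        span = p["hits"][-1][0] - p["hits"][0][0]
        direct = methods & {"mem", "ptrace", "process_vm_readv"}
        if direct and "maps" in methods and span <= CORRELATION_WINDOW:
            severity = "high"    # maps-then-memory staging inside the correlation window
        elif direct:
            severity = "medium"  # memory reached without visible staging (or outside window)
        else:
            severity = "low"     # maps only: enumeration, debugger or inventory tooling
        alerts.append({"actor_pid": actor, "target_pid": target, "comm": p["comm"],
                       "exe": p["exe"], "uid": p["uid"], "auid": p["auid"],
                       "methods": sorted(methods), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

The self-access exclusion and the benign_exes allow-list are the AccessedFilePath and ProcessName tuning points from the table; uid and auid are carried on every alert so the UserContext check (a root actor whose login uid is an ordinary user, as with "dumper" above) can be applied downstream. Note that the records this parses come from syscall rules (open/openat, ptrace, process_vm_readv keyed in auditd), not from -w watches, since file watches on a virtual filesystem such as /proc are unreliable; if a host produces no PATH records for /proc the rule set, not the analytic, is usually the problem.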